Website Health Check
Scanned 02/03/2026
HTTPS & TLS
A+ (100%)
TLS 1.2 is supported.
TLS 1.3 is supported (latest version, best performance).
TLS 1.0 is disabled (deprecated protocol correctly rejected).
TLS 1.1 is disabled (deprecated protocol correctly rejected).
Valid SSL certificate from Amazon - Amazon RSA 2048 M01, expires in 361 days.
Security Headers
C (55%)
HSTS enabled with max-age=31536000, includeSubDomains.
X-Content-Type-Options is set to nosniff.
X-Frame-Options header is missing. Page may be embedded in iframes (clickjacking risk).
Referrer-Policy is set to "no-referrer, strict-origin-when-cross-origin" which may leak URL information.
Cross-Origin-Embedder-Policy header is missing. Site cannot enable cross-origin isolation.
Cross-Origin-Opener-Policy header is missing. Page may be accessed by cross-origin windows.
Cross-Origin-Resource-Policy header is missing. Resources may be loaded by any origin.
Access-Control-Allow-Origin is set to wildcard (*). Any origin can make cross-origin requests.
Content Security Policy
B (75%)
CSP exists but is missing a default-src or script-src directive.
CSP does not use unsafe-inline.
CSP does not use unsafe-eval.
Permissions Policy
F (0%)
No Permissions-Policy or Feature-Policy header found. Browser features like camera, microphone, and geolocation are unrestricted.
Server Security
A+ (100%)
No Server header present (good — no server information disclosed).
Domain is not listed on any of the 3 DNS blacklists checked.
No common admin or sensitive paths are publicly exposed.
Content Security
A (80%)
No mixed content detected. All resources use HTTPS.
1 redirect across 2 domains. Moderate redirect chain.
Email Security
A (80%)
SPF record found: v=spf1 mx include:spf-00814f01.pphosted.com include:au._netblocks.mimecast.com include:spf.protectio...
DMARC policy set to "quarantine" — spoofed emails may be flagged. Consider upgrading to "reject".
DKIM record found for selectors: selector1, selector2.
Recommendations
- 1. [medium] Add a Permissions-Policy header restricting camera, microphone, geolocation, and payment.
- 2. [medium] Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking.
- 3. [medium] Add a Cross-Origin-Embedder-Policy header (require-corp or credentialless) to enable cross-origin isolation.
- 4. [medium] Add a Cross-Origin-Opener-Policy: same-origin header to isolate your browsing context from cross-origin windows.
- 5. [medium] Add a Cross-Origin-Resource-Policy: same-origin header to prevent your resources from being loaded by other origins.
- 6. [medium] Implement a Content-Security-Policy header with at least default-src and script-src directives.
- 7. [medium] Set Referrer-Policy to strict-origin-when-cross-origin or stricter.
- 8. [medium] Reduce the number of redirects in your URL chain. Excessive redirects slow page loads and may indicate URL obfuscation.
- 9. [medium] Add a DMARC record with p=reject at _dmarc.yourdomain.com to block spoofed emails.
- 10. [medium] Restrict Access-Control-Allow-Origin to specific trusted origins instead of using wildcard (*).
This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.